CVE-2017-11501 - OpenCVE

NixOS 17.03 and earlier has an unintended default absence of SSL Certificate Validation for LDAP. The users.ldap NixOS module implements user authentication against LDAP servers via a PAM module. It was found that if TLS is enabled to connect to the LDAP server with users.ldap.useTLS, peer verification will be unconditionally disabled in /etc/ldap.conf.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Nixos Project	Nixos

Configuration 1 [-]

cpe:2.3:o:nixos_project:nixos:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://openwall.com/lists/oss-security/2017/07/20/1
https://github.com/NixOS/nixpkgs/issues/27506
https://groups.google.com/forum/#%21topic/nix-security-announce/qrDU0KH_ZRk

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-07-20T23:00:00

Updated: 2024-08-05T18:12:40.130Z

Reserved: 2017-07-20T00:00:00

Link: CVE-2017-11501

Vulnrichment

No data.

NVD

Status : Modified

Published: 2017-07-20T23:29:00.247

Modified: 2023-11-07T02:38:17.983

Link: CVE-2017-11501

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-07-20T00:00:00", "descriptions": [{"lang": "en", "value": "NixOS 17.03 and earlier has an unintended default absence of SSL Certificate Validation for LDAP. The users.ldap NixOS module implements user authentication against LDAP servers via a PAM module. It was found that if TLS is enabled to connect to the LDAP server with users.ldap.useTLS, peer verification will be unconditionally disabled in /etc/ldap.conf."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-07-20T23:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://openwall.com/lists/oss-security/2017/07/20/1"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://groups.google.com/forum/#%21topic/nix-security-announce/qrDU0KH_ZRk"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/NixOS/nixpkgs/issues/27506"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-11501", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "NixOS 17.03 and earlier has an unintended default absence of SSL Certificate Validation for LDAP. The users.ldap NixOS module implements user authentication against LDAP servers via a PAM module. It was found that if TLS is enabled to connect to the LDAP server with users.ldap.useTLS, peer verification will be unconditionally disabled in /etc/ldap.conf."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://openwall.com/lists/oss-security/2017/07/20/1", "refsource": "CONFIRM", "url": "http://openwall.com/lists/oss-security/2017/07/20/1"}, {"name": "https://groups.google.com/forum/#!topic/nix-security-announce/qrDU0KH_ZRk", "refsource": "CONFIRM", "url": "https://groups.google.com/forum/#!topic/nix-security-announce/qrDU0KH_ZRk"}, {"name": "https://github.com/NixOS/nixpkgs/issues/27506", "refsource": "CONFIRM", "url": "https://github.com/NixOS/nixpkgs/issues/27506"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T18:12:40.130Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://openwall.com/lists/oss-security/2017/07/20/1"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://groups.google.com/forum/#%21topic/nix-security-announce/qrDU0KH_ZRk"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/NixOS/nixpkgs/issues/27506"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-11501", "datePublished": "2017-07-20T23:00:00", "dateReserved": "2017-07-20T00:00:00", "dateUpdated": "2024-08-05T18:12:40.130Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:nixos_project:nixos:*:*:*:*:*:*:*:*", "matchCriteriaId": "17B2506F-7453-4F4D-BC34-94FD6A02DB24", "versionEndIncluding": "17.03", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NixOS 17.03 and earlier has an unintended default absence of SSL Certificate Validation for LDAP. The users.ldap NixOS module implements user authentication against LDAP servers via a PAM module. It was found that if TLS is enabled to connect to the LDAP server with users.ldap.useTLS, peer verification will be unconditionally disabled in /etc/ldap.conf."}, {"lang": "es", "value": "NixOS versi\u00f3n 17.03 y anteriores tienen una ausencia predeterminada involuntaria de la comprobaci\u00f3n de certificado SSL para LDAP. El m\u00f3dulo users.ldap NixOS implementa la identificaci\u00f3n de usuarios contra servidores LDAP por medio de un m\u00f3dulo PAM. Se encontr\u00f3 que si TLS est\u00e1 habilitado para conectarse al servidor LDAP con users.ldap.useTLS, la verificaci\u00f3n entre iguales se deshabilitar\u00e1 incondicionalmente en /etc/ldap.conf."}], "id": "CVE-2017-11501", "lastModified": "2023-11-07T02:38:17.983", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-07-20T23:29:00.247", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Mitigation", "Patch", "Third Party Advisory"], "url": "http://openwall.com/lists/oss-security/2017/07/20/1"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/NixOS/nixpkgs/issues/27506"}, {"source": "cve@mitre.org", "url": "https://groups.google.com/forum/#%21topic/nix-security-announce/qrDU0KH_ZRk"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}